I posted this question on the OpenVPN Support Forum and I'm not getting anywhere. It appears my OpenVPN Connect is looking for a version number in the OpenVPN server certificate but none of the certificates appear to contain any version information. Here is a link to my post on OpenVPN Support Forum: https://forums.openvpn.net/viewtopic.php?f=36&t=25955&p=77920#p77920 If anyone has a solution or idea where to begin troubleshooting this I would be very appreciative!

Most likely that is a problem with the client/OS/ssl library and not pfSense.

I spot checked a few certs made as recently as today and as far back as 2007 and they all had version information.

Thanks for the reply! I'm confused though because I'm loading user certs exported by the pfSense openvpn-client-export package (1.4.14) and I've looked through all of the different export files and none of them have anything regarding a version number. What part of the client/OS/ssl library would be involved since my certs are imported from pfSense? Do you use the openvpn-client-export package in pfSense to export your OpenVPN user certs or how do you do it?

The certificate information I showed would be the same no matter how the certificate was exported. It's embedded in the certificate itself and could not be changed automatically depending on how it was downloaded. There is no way your certificate would be missing that, unless you created it somewhere else (not on pfSense) or you are looking in the wrong place.

The certificate information I showed would be the same no matter how the certificate was exported. It's embedded in the certificate itself and could not be changed automatically depending on how it was downloaded. There is no way your certificate would be missing that, unless you created it somewhere else (not on pfSense) or you are looking in the wrong place.

Okay, now we are getting somewhere. I downloaded the Viscosity.visc from the pfSense Client Export utility and ran the openssl command that you used and there is definitely a version number:

I was originally opening the cert files with gedit as well as using the cat command and it just showed the certificate key…sorry, I was unaware you had to run that openssl command. So any ideas why I still get incorrect version number? I've tried OpenVPN for Android and OpenVPN Connect on Android but still same issue?

Note in your error that it is not complaining about the client or server certificate, but the CA certificate. Perhaps there is something amiss there. Maybe the CA certificate you selected in the server is not valid in some way.

Note in your error that it is not complaining about the client or server certificate, but the CA certificate. Perhaps there is something amiss there. Maybe the CA certificate you selected in the server is not valid in some way.

Is it because ca.crt is Version 4 and cert.crt is Version 3 (pulled from the Viscosity.visc file):

This is where I get confused. For example, I have a ca.crt and a server2.ca; I don't understand how these two files interact (and why I need two of them) and why they appear to be similar files but the extensions are different…but that's just my ignorance.

But what is that CA? Is it actually the correct CA for your server cert? What is selected on the server? How was everything created?

I created everything in the pfSense –> Certficate Manager

Here is pfSense --> VPN --> OpenVPN --> Servers:

Refer to: Servers.png

pfSense --> VPN --> OpenVPN --> Client Export

Refer to: Client Export.png

pfSense --> System --> Certificate Manager --> CAs

Refer to: CA's.png

pfSense --> System --> Certificate Manager --> Certificates

Refer to: Certificates.png

Does that help any? I was trying to screen shot what I thought was relevant, I did this a long time ago and have not had any problems or interaction with this setup until now so I'm having trouble remembering.

I use my iphone and ipad both with the vpn client and have never seen such an issue.

Maybe your just trying to use the wrong export. For iphone/ipad use the openvpn connect (ios/android) one..

I email the ovpn file and import it right on my phone or ipad..

Thanks for the reply, I was the same boat…never had an issue until now. I also emailed the ovpn file to my device(s) and it would work great! I'm running pfSense as a VM on Proxmox so I'm about ready to create a clone and start hacking it up in order to figure out what's going on. I may just do a reinstall if I cannot figure it out because something has gone wrong.

OK, so the first CA you showed the version for is probably your client/VPN provider (expressvpn) and not the one used by your remote access VPN.

From the looks of everything you have there it should be OK. I'd still blame the client in this case. Make sure the OS and apps are up-to-date. There was a similar bug not too long ago that turned out to be a client issue, but IIRC an app update fixed it soon after.

OK, so the first CA you showed the version for is probably your client/VPN provider (expressvpn) and not the one used by your remote access VPN.

From the looks of everything you have there it should be OK. I'd still blame the client in this case. Make sure the OS and apps are up-to-date. There was a similar bug not too long ago that turned out to be a client issue, but IIRC an app update fixed it soon after.

If so that is actually the ca.crt file from the Viscosity.visc bundle that I downloaded from: pfSense –> VPN --> OpenVPN --> Client Export (the Client Export.png screenshot shows the download link (Viscosity Bundle), it's all the way on the right side of that screenshot). That is definitely for my remote access and NOT for ExpressVPN. I have always downloaded my files from the Client Export in the past and it worked but do you think you might be on to something as it does show a different version number than the other CA's?

Since you won't post the rest of the certificate it's impossible to say what it means. Read it and see what is there.

If it isn't the correct CA, I don't see how it could have ended up in that bundle. It goes by what's set on the server, and it doesn't offer anything to download that doesn't match.

I was not trying to be difficult by not posting the rest of my certificate, I was just being cautious. I generated new Certs and CA's in the Certificate Manager and all works great now! Thank you for all your help as you pointed me in the right direction! Now when I download the Viscosity.visc bundle and look at the version of ca.crt it says: Version 3. Who knows what happened, maybe something during one of my pfSense upgrades as I have not touched those settings in a few years. Thanks again!